Abstract

We can see in 2001 that 77 percent of employers were engaged in monitoring. This may have increased slightly or decreased slightly, but whatever has happened, we know that this is a significant amount of employers–much greater than a majority–that are engaging in monitoring of their employees. We can also see the great rise in monitoring of computers and electronic files in a ten-year period between 1997 and 2007.

Finally, we can see some of the newer technologies. In 2007, twelve percent of the reporting employers were monitoring the blogosphere, eight percent were monitoring GPS vehicle tracking, and ten percent were monitoring social networking sites. Probably, some of you are working with social networking policies with the companies that you are involved with. This is a hot topic right now. ….

That gives you a picture of what the technology looks like, what the statistics are, and what we are grappling with in terms of the law here. In terms of the law, I am going to talk about the Electronic Communications Privacy Act (“ECPA”). There are also some state statutes that are going to be relevant. There is the tort that we are all very familiar with, dating back to Brandeis’ day, of the invasion of privacy, which is invasion of seclusion. And then finally we know that right now there is the hot topic with the Quon case coming down last term with the Fourth Amendment and public-sector employers and employees.

hldataprotection.com reports that last week Michigan enacted a social media privacy law that prohibits employers and educational institutions from requesting access to the personal social media or other internet-based accounts of employees or students.

♦ The new law, known as the Internet Privacy Protection Act, provides that employers or educational institutions (ranging from elementary schools through institutions of higher learning) may not request or require an employee, job applicant, or current or prospective student to grant access to or disclose login information for the individual’s “personal internet account,” which is defined broadly as an “account created via a bounded system established by an internet-based service that requires a user to input or store access information via an electronic device to view, create, utilize, or edit the user’s account information, profile, display, communications, or stored data.”

♠ Nevertheless, the law has consistent exceptions:

1. The employer pays for an “electronic communications device,” in whole or in part;

2. The account or service is provided by the employer, obtained by virtue of the employee’s employment relationship with the employer, or used for the employer’s business purposes;

3. An employee transfers the employer’s “proprietary or confidential information or financial data” to the employee’s personal internet account without authorization;

4. The employer is conducting a workplace investigation, provided that the employer has “specific information” about activity on the employee’s personal internet account or the unauthorized transfer of the employer’s data to the employee’s account; or

5. The employer is “monitoring, reviewing, or accessing electronic data” traveling through its network.

Exception No. 5 makes us wonder whether it does not cover all the situations in which an employee accesses his/her personal e-mail account or Facebook page from a device connected to the employer’s wi-fi network.

The Act establishes (section 8) that the maximum fine for breaching the internet privacy provisions is $1,000.

♥ With the enactment of this statute, Michigan joins California, Maryland, Illinois, and New Jersey in restricting employers from accessing employees’ and applicants’ social media accounts. Delaware and New Jersey have also passed laws protecting the privacy of students’ social media accounts. The coming year should see additional legislative activity in this area, as social media privacy bills are under consideration in Missouri, Texas, and other jurisdictions.

(“NPC”) of the People’s Republic of China passed the Resolution of the Standing Committee of the NPC Relating to Strengthening the Protection of Information on the Internet (the “Regulations”). The Regulations contain significant and far-reaching requirements applicable to the collection and processing of electronic personal information via the Internet.

♣ The Regulations begin with two broad statements that, on their face, are not limited to information processing on the Internet:

♠ (1) the State will protect electronic information that can identify individuals and implicate their private affairs, and

♥ (2) no organization or individual may misappropriate or otherwise obtain electronic personal information by unlawful means, or sell or otherwise unlawfully provide it to other persons.

The Regulations then set forth a number of requirements that are more specifically directed at Internet service providers (“ISPs”) and other businesses that handle electronic personal information, including:

ISPs and other businesses must adopt and comply with rules for their collection and use of electronic personal information, and make the rules publicly known.

ISPs and other businesses must clearly state the purpose, means and scope of their collection and use of electronic personal information, and obtain the consent of the data subject for such collection and use.

ISPs and other businesses must maintain electronic personal information in strict confidentiality.

ISPs and other businesses must not divulge, alter or destroy electronic personal information obtained in the course of their business activities, and may not sell it to other persons.

ISPs and other businesses must adopt information security safeguards, and must take immediate remedial measures in the event of a security breach incident.

ISPs must report security breach incidents to relevant government agencies.

panel Jan Philipp Albrecht, Member of the European Parliament – Green (EU), speaker from DPA, speaker from BEUC, speaker from EP, speaker from DG Connect

The panel will present a state of play of the key debates surrounding the proposed data protection regulation, as well as different perspectives on the draft report currently discussed in the European Parliament.

11.45 The European Data Protection Framework Under Review: The Proposed Directive

This edition of the Privacy Platform concerns the different dimensions of Cyber Security. Troels Oerting, director of the new Europol Cybercrime Center, and experts Bart Jacobs, Marc Rotenberg and Axel Arnbak will present the offensive and defensive aspects of Cyber Crime.

15.15 Coffee break

15.30 US And Transatlantic Debates: A New Direction For US Online Consumer Rights

This panel on consumer protection will review the post release of the Obama Administration’s white paper “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” The panel will explore the consequences for consumers should the EU and US fail to reach an agreement on how to best protect online consumers. President Obama’s administration is working to create a new mechanism that involves a multi-stakeholder process managed by the Department of Commerce. The Department of Commerce’s first multi-stakeholder process, now underway, addresses mobile application transparency. The force of regulation for the work done by the Department of Commerce would come from the Federal Trade Commission.

Key points to be discussed:

The US work to create new online consumer privacy protections through expansion of the current sector based approach.

Is there an unresolvable US and EU mismatch on how privacy is defined in a digital global economy?

How can we measure whether the EU legislative effort and the Obama Administration effort will resolve conflicts in how online consumer privacy will be seamlessly protected?

16.45 US and Transatlantic Debates: Government and law enforcement use of data (till 18.00)

The common understanding is that the US and Europe have very different privacy regimes. But are they really so different on law enforcement and National Security matters? Or is there an emerging ‘transatlantic approach’ that some argue values the interests of the State over personal liberty and jeopardizes fundamental European principles?

A transatlantic panel of government and NGO representatives will discuss:

Whether the draft European Privacy Directive tilts too far to law enforcement and the National Security institutions and how does the US view the directive.

Whether our privacy can be protected by the overarching agreement on the exchange of personal data that the EU and the US are negotiating;

How freely does our personal data flow across the Atlantic and how can European personal data be protected when it is in the hands of American law enforcement and national security agencies?

18.00 Cocktail Offered By The International Association Of Privacy Professionals (IAPP)(till 20.00)

The privacy profession has grown from the ground up, not mandated by legislation but rather a response to fundamental business needs.

Personal data have become an increasingly valuable asset class, fueling the new economy and presenting businesses with unprecedented opportunities and challenges.

Privacy and data protection are now board level issues. Management has realised that privacy is distinct from data security and must be dealt with by dedicated individuals who have strategic, policy, compliance and technical competence.

The draft EU Data Protection Regulation is set to mandate the appointment of a data protection officer for businesses that do not yet have one.

This panel will feature some of the leaders of the privacy profession from both sides of the Atlantic. They will discuss the past, present and future of the privacy profession and draw lessons from the experience of U.S. CPOs for EU DPOs, and vice versa.

Privacy Impact Assessments are definitely high on the EU agenda. After the endorsement of the RFID PIA Framework by the Article Working Party Group and the smart grids PIA Framework, Art. 33 of the EC Proposed General Data Protection Regulation enshrines the tool in the EU data protection legal framework.

This panel envisages tackling the following PIA-related challenges:

Integration: Can PIA address other fundamental rights than privacy and data protection (the right not to be discriminated against for instance)? Can these tools also take additional non-legal issues into consideration such as ethical or surveillance issues? Is it possible to integrate such diverse considerations within one single instrument?

Implementation: If integrated PIAs are the way forward, what level of complexity can firms or public bodies handle concerning impact assessment? How many impact assessments should be conducted in the course of the preparation of a project? How much time is required to carry out an integrated PIA?

Standardisation: Is the current diversity of PIA methodologies something to be welcomed or, on the contrary, a threat to unified, standardised and integrated PIAs? If the EU adopts a policy or standards on PIA, what are the key elements in an “integrated” PIA?

15.15 Coffee break

15.30 Data Protection Accountability – Who creates the account?

co-organised by the Human Technology Lab at Technical University Berlin, the EU FP7 project SIAM and CPDP

The principle of accountability in the context of data protection formulates a way to bridge the gap between theory and practice of data protection. Binding Corporate Rules and Impact Assessments enhance the commitment to and demonstrability of effective data protection measures, but in the end the open question remains: What is and who creates the account that demonstrates effective data protection and makes it visible for the user?

A number of questions emerge from this perspective. For example, how the technology-oriented process can be made transparent and reflexive. How can diverging interests be negotiated along the path of development? How can “Privacy by Design” be advanced to “render an account” as well? How can data protection accountability be implemented within organizations and made visible to the data subjects?

Since the publication of the Proposal for a General Data Protection Regulation in January 2012, there have been many different opinions on the effectiveness of this new tool and on its impact. One year later we want to draw some first conclusions and discuss the influence that the proposed regulation could have on health data processing.

Whereas a category for sensitive data will continue to exist and will also provide for derogations for health data in the future, there are many changes which will impact the processing of health data. There is a concern about the definition of consent, the possible existence of a “significant imbalance” in the doctor-patient relationship, an administrative burden for small clinics as a result of Impact Assessments and data protection officers. New rights, like the right to be forgotten, might change the way health data have to be handled in future. Currently, many open questions remain and problems like the relationship between the proposed right to be forgotten and the right to have one’s health data erased have to be clarified.

Therefore, it will be discussed which changes can be expected for health data processing and for healthcare professionals if the proposal is implemented, which advantages and disadvantages this will bring for the privacy of patients and whether the proposed regulation responds to the changing needs in health data processing.

Medical confidentiality is one of the essential features of the different professions in healthcare and crucial for the protection of a patient’s privacy and trust in healthcare. Nowadays, however, healthcare professionals are often facing conflicts of medical confidentiality and recent developments in society.

Knowledge of possible child abuse brings doctors into a conflict of interests: protecting confidentiality or preventing physical damage to patients or others? Violent events like rampages in schools, shopping centres and most prominently in the Norwegian capital Oslo and on the island of Utoya confront healthcare professionals with the demand to breach medical confidentiality when public safety could be at stake.

Furthermore, technological innovations in healthcare might also challenge medical confidentiality. Never before has it been so easy to exchange patient data between different actors in healthcare, by means of electronic networks or even by social media. It is therefore important to elaborate to what extent these new ways of data exchange threaten patients’ privacy and conflict with the traditional understanding of medical confidentiality.

Every year, CPDP puts under the spotlight an EU Member State. This year it is the turn of Poland as 2012 marked the 15th anniversary of constitutional and statutory protection of personal data therein. The new Constitution and the Personal Data Protection Act (both 1997) constitute one of the hallmarks of the democratic change in Poland. This panel will offer a critical analysis on how public authorities use personal data and will focus on surveillance, data retention and data subject’s rights. Special attention will be given to issues such as balancing security and privacy in the (controversial) research project ‘INDECT’ and processing of personal data for religious purposes.

The concept of ‘gamification’ – referring to the use of game elements, designs and strategies to encourage certain desired actions in non-game contexts – is currently all the rage. This panel explores the use of these techniques in policy-making (for example to reduce energy consumption or to ameliorate urban transportation systems), paying special attention to the privacy and reputational risks that may emerge from these applications. The panel will also explore gamification as a mechanism for improving privacy and information security decision making, and in particular the following issues:

How can gamification be applied to improve policy outcomes?

What are the emergent privacy risks in gamified contexts?

How can gamification help to overcome the divergence between the existing legal rules on data protection and the actual behaviour of users?

How can we use gamification as a privacy policy tool?

15.15 Coffee break

15.30 What are the key prerequisites for successful self-regulation?

hosted by Nicolas Dubois (DG JUST, European Commission) and Dennis Hirsch (Capital University Law School)

panel Gwendal Le Grand, CNIL (FR), Sarah Spiekermann, Vienna University of Economics and Business (AT), Speaker from EDRi, Speaker from the Vodafone Privacy Team

Is a technology neutral and harmonised legal baseline a prerequisite for successful self-regulation?

In synergy with regulation, information security technology is expected to play a critical role in enforcing the right to privacy and data protection. In this panel session we will discuss the role of security in privacy by design and by default. Standardisation and certification issues for security and privacy will also be covered. The focus is on technological means to support privacy and data protection.

Topics to be discussed include:

Privacy by default embedded in technology, first examples

Certification, accreditation and the use of emblems for enhancing privacy by default

The role of standardization in reaching the privacy by design and privacy by default principles

New ideas and suggestions for promoting privacy principles in design stage

CPDP2013 side events first day

20.00 Book presentation of ‘LIQUID SURVEILLANCE: A CONVERSATION’ by David Lyon with roundtable discussion @ De Markten

drinks from 19.30

organised by the Living in Surveillance Societies – LiSS-COST Action and LSTS-VUB, and in cooperation with deBuren, De Markten and Polity Press

Surveillance is a product of the modern world and as this world has become liquefied so too has surveillance. Why do people so willingly comply with surveillance and how does this liquidity suck everyone into its stream as participants?

Professor David Lyon, Director of the Surveillance Studies Centre at Queens University, Canada will give a presentation about his new book Liquid Surveillance: A Conversation which he has written together with Zygmunt Bauman (Professor Emeritus of Sociology at the University of Leeds).

Washingtonpost.com writes that the US federal government on Wednesday announced a landmark update to child online privacy laws, establishing guidelines that make it harder to track a gadget-obsessed generation with constant access to the Web.

The Federal Trade Commission’s new rules come amid a two-year debate over how far the government should go to protect the privacy of children 12 and younger without curbing the business practices of a thriving Web economy that relies on their data for advertising.

Under new amendments, the FTC said firms must seek permission from parents to collect a child’s photographs, videos and geo-locational information — all content that social media, online games and mobile devices have made easy to share.

The aim of the revisions, the FTC said, was to clarify that much of today’s most popular uses of the Web should be more closely guarded when done by children.

A company such as Google or Viacom must also have a parent’s consent before using tracking tools, such as cookies, which use IP addresses and mobile device IDs to follow a child’s Web activity across multiple apps and sites.

Reuters.com reports that an Italian prosecutor has asked an appeals court to uphold jail sentences for three Google executives charged with violating the privacy of an Italian boy with autism by letting a video of him being bullied be posted on the site in 2006.

“Not only has the privacy of minors been violated but lessons of cruelty have been given to 5,500 visitors,” Milan prosecutor Laura Bertole Viale said on Tuesday at the appeals hearing.

Four students at a Turin school uploaded a mobile phone clip to Google Video in 2006 showing them bullying the boy. The prosecutors accused Google of negligence, saying the video remained online for two months even though some Web users had already posted comments asking for it to be taken down.

In February 2010, a court gave each of the three Google executives, none of whom were based in Italy, six-month suspended jail sentences.

Senior vice-president and chief legal officer David Drummond, former Google Italy board member George De Los Reyes and global privacy counsel Peter Fleischer did not face actual imprisonment as the sentences were suspended.

Google appealed the ruling which it described at the time as an attack on the fundamental principles of freedom on which the Internet is built.

The company argued it removed the video immediately after being notified and cooperated with Italian authorities to help identify the bullies and bring them to justice.

In the annual activity report it published in July, CNIL underlines that the proposed regulation on protection of personal data the European Commission published early in 2012 cuts too much of the national DPA’s power with regard to transnational processing.

HLdataprotection.com reviews the report and writes that the proposed new European regulation drew criticism in the CNIL’s report on three points. First, the CNIL expressed concern that making a single data protection authority responsible for the European-wide activities of an enterprise could result in a significant decrease in the level of protection of individuals. Citing the example of a social network whose main establishment is located in another European member state, the CNIL said it was inappropriate to reduce the role of the French data protection authority (“DPA”) to a simple mailbox to forward complaints to the principal DPA responsible for the social network’s activities. According to the CNIL, a French user who is harmed by the activities of an enterprise doing business in France should be able to look to the French regulator for redress.

The second point on which the CNIL diverges from the Commission is on the issue of international data transfers. The CNIL believes that transfers to countries that have not been recognised as providing adequate protection should be based on contractual clauses or BCRs that have been approved in advance by the CNIL. Under the proposed regulation, an international transfer based on standard contractual clauses will not require the prior approval of the DPA.

Finally, the CNIL made the point that the new accountability measures included in the draft regulation should not be viewed as a form of self-regulation, or as a trade-off for less regulatory supervision. Instead, the accountability measures should be viewed as a supplement to existing regulatory principles and enforcement practices.

Big Brother is getting bigger and bigger. I bet Orwell’s self esteem would have had a boost if he were to live today. The guy truly was a visionary.

The Economist writes about the several surveillance and face recognition techniques in use today, and reading about them can send chills down one’s spine.

“As for businesses, Quividi, a French marketer, can measure the age and gender of passers-by who linger at an advert; advertisers vary their offerings based on who is looking. A service called SceneTap gives similar information on the crowd in Chicago bars. The smiles of employees at Keihin Electric Express Railway in Japan are assessed by computer. Facebook, a social network, recognises uploaded photos. The latest smartphones can spot their users.”

But the thing is, governments are more and more interested in using these technologies.
